How to Monitor Linux Server Security with Osquery

Osquery is a free open source, powerful and cross-platform SQL-based operating system instrumentation, monitoring, and analytics framework for Linux, FreeBSD, Windows, and Mac/OS X systems, built by Facebook. It is a simple and easy-to-use operating system explorer.

It combines a number of tools which perform low-level OS analytics and monitoring; these tools reveal an operating system as a high-performance relational database such as MySQL/MariaDB, PostgreSQL and more, where OS concepts are represented in tabular form, thus allowing users to employ SQL commands to carry out system monitoring and analytics.

Osquery use a simple plugin and extensions API to implement SQL tables, there is a collection of tables in existence ready for use, and more are being written. Some tables can only be found on a specific operating system, for instance, you only find the kernel_modules table on Linux systems.

Additionally, you can run queries to monitor and analyze OS state on a single host via the osqueryi shell, or on several hosts on a network via a scheduler or execute them from any of your custom applications using osquery Thrift APIs.

How to Install Osquery in Linux

The Osquery can be installed from the official repository using apt yum or dnf package management tool on your respective Linux distribution as shown.

On Debian/Ubuntu

$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
$ sudo apt update
$ sudo apt install osquery

On RHEL/CentOS

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo yum-config-manager --enable osquery-s3-rpm-repo
$ sudo yum install osquery

On Fedora 22+

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ dnf config-manager --add-repo --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo dnf config-manager --set-enabled osquery-s3-rpm
$ sudo dnf install osquery

How to Monitor and Analyze Linux Using Osquery

Once you have successfully installed Osquery on your system, launch the osqueryi shell to start querying the state of your OS as shown.

$ osqueryi

Using a virtual database. Need help, type '.help'
osquery> 

To get a summarized Linux system information run the following command.

osquery> SELECT  * FROM system_info;
Get Linux System Info
Get Linux System Info

To get a well formated list of all users on the Linux system, run the following query.

osquery> SELECT * FROM users;
List of All Linux Users
List of All Linux Users

To get a list of all Linux kernel modules and their status, run the following query.

osquery> SELECT * FROM kernel_modules;
List All Kernel Modules in Linux
List All Kernel Modules in Linux

To get a list of all installed RPM packages on CentOS, RHEL and Fedora, run the following query.

osquery> .all rpm_packages;
List All Installed RPM Packages
List All Installed RPM Packages

To get a informatin about running Linux processes, run the following query.

osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
List Linux Processes Information
List Linux Processes Information

If you are running osquery on a desktop and have Firefox or Chrome installed, you can list all your add-ons using the following query.

osquery> .all firefox_addons;
osquery> .all  chrome_extensions;

To display a list of all implemented tables in Linux, use the .tables command as shown.

osquery> .tables;	#list all implemented tables
osquery> .help; 	#view help message

Osquery also provides file integrity monitoring (FIM), and process and socket auditing features and more, thus it is an intrusion detection tool, but this calls for certain configurations before you can deploy it for such a purpose. You can find more information from the Osquery Github repository.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

4 thoughts on “How to Monitor Linux Server Security with Osquery”

  1. The Fedora install has two problems:

    # dnf config-manager --add-repo --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
    

    Should be

    # dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
    

    and

    # sudo dnf config-manager --set-enabled osquery-s3-rpm
    

    Should be

    # sudo dnf config-manager --set-enabled osquery-s3-rpm-repo
    
    Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.